class RuboCop::Cop::GitlabSecurity::PublicSend

Checks for the use of `public_send`, `send`, and `__send__` methods.

If passed untrusted input, these methods can be used to execute arbitrary methods on behalf of an attacker: the caller decides which method runs only at runtime, from a value the attacker controls.

@example

# bad
myobj.public_send("#{params[:foo]}")

# good
case params[:foo].to_s
when 'choice1'
  items.choice1
when 'choice2'
  items.choice2
when 'choice3'
  items.choice3
end
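The following is an added example, not code from this gem, that shows why the cop flags the `public_send` pattern above and what the allow-listed `case` form buys you. The `Report` class, its methods and the `params` hashes are constructed for the demonstration.

```ruby
# Constructed model object: two methods are meant to be reachable from a request.
class Report
  attr_reader :title

  def initialize(title)
    @title = title
    @secret_token = 'constructed-secret' # internal state, never meant for callers
  end

  def summary
    "Report: #{title}"
  end

  def word_count
    title.split.size
  end
end

# Bad (what the cop reports): the method name comes straight from the request,
# so every public method the object responds to, including those inherited
# from Object and Kernel, becomes reachable to whoever controls params[:action].
def render_unsafe(report, params)
  report.public_send(params[:action].to_s)
end

# Good (what the cop recommends): a fixed case/when maps each accepted value to
# one specific method; anything else is rejected instead of being dispatched.
def render_safe(report, params)
  case params[:action].to_s
  when 'summary'    then report.summary
  when 'word_count' then report.word_count
  else raise ArgumentError, "unknown action: #{params[:action].inspect}"
  end
end
```

With `params[:action]` set to `'instance_variables'`, `render_unsafe` happily returns the object's internal state (including `@secret_token`), while `render_safe` raises `ArgumentError`.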

Constants

MSG

Public Instance Methods

on_send(node)
# File lib/rubocop/cop/gitlab-security/public_send.rb, line 30
def on_send(node)
  # `send?` is the cop's node matcher for the flagged call forms (defined in
  # the cop, not shown here); it yields the matched method name.
  send?(node) do |match|
    # A bare `send`/`public_send` with no arguments cannot dispatch on input.
    next unless node.arguments?

    # Report on the method-name selector so the offense points at the call.
    add_offense(node, location: :selector, message: format(MSG, match))
  end
end